
A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US on Friday and is being detained pending trial.

An indictment alleges that "Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T's proprietary locking software that prevented ineligible phones from being removed from AT&T's network," a DOJ announcement yesterday said. "The scheme resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars. Fahd allegedly paid the insiders hundreds of thousands of dollars—paying one co-conspirator $428,500 over the five-year scheme."

In all, AT&T insiders received more than $1 million in bribes from Fahd and his co-conspirators, who fraudulently unlocked more than 2 million cell phones, the government alleged. Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T.

The first indictment against Fahd was filed in November 2017, and he was arrested in Hong Kong at the request of the United States in February 2018, but the case was just unsealed yesterday. Fahd is facing 14 charges in US District Court for the Western District of Washington. The charges are conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act.

AT&T generally locks phones to its network, preventing them from being used with other carriers. AT&T grants customers' unlock requests after they've paid off their contracts or device installment plans.

If a phone is unlocked before it has been paid off, resulting in a customer switching to another carrier, AT&T might not be able to collect the rest of the payments, a DOJ indictment of Fahd noted.

"Unlocked phones were a valuable commodity because they could be resold and used on any other compatible network around the world... When phones were unlocked fraudulently without AT&T's authorization and customers switched service to other carriers, the fraudulent transactions deprived AT&T of the stream of payments that were due under the service contracts and installment plans," the indictment said.

The alleged conspiracy involved "the installation of malware and unauthorized hardware on AT&T's internal network," which Fahd and co-conspirators used to sell fraudulent phone-unlocking services to the general public, the indictment said.

Former AT&T workers pleaded guilty

Three now-former AT&T employees cooperated with the government and pleaded guilty to charges related to the conspiracy, and they are expected to testify at trial against Fahd, a court document said. Their names are Kyra Evans, DeVaughn Woods, and Marc Sapatin. All three agreed to pay financial penalties that will be transferred to AT&T, but they could also face prison time after their November 1 sentencing hearings.

"We have been working closely with law enforcement since this scheme was uncovered to bring these criminals to justice and are pleased with these developments," AT&T told Ars.

We asked AT&T if it made any security improvements to prevent this from happening again, but we did not receive an answer. An AT&T spokesperson said that the scheme did not result in improper access to customer information.

The DOJ also charged Ghulam Jiwani, one of Fahd's alleged co-conspirators. Jiwani was arrested in Hong Kong, "but died prior to being transferred to United States custody," a court document said. The charges against him were dropped as a result of his death.

Fahd and Jiwani had other co-conspirators "known and unknown to the Grand Jury," the indictment said.

Evans, Woods, and Sapatin apparently were not the only AT&T employees who allegedly were involved in the scheme. The DOJ alleges that "between 2012 and 2017, Fahd recruited various AT&T employees to the conspiracy. Some early recruits were paid to identify other employees who could be bribed and convinced to join the scheme. So far, three of those co-conspirators have pleaded guilty admitting they were paid thousands of dollars for facilitating Fahd's fraudulent scheme."

Fahd and his co-conspirators instructed AT&T employees "to create shell companies and open business banking accounts in the names of the shell companies" in order to receive their bribes, the indictment said.

More details from the indictment

The scheme began in April 2012 when Fahd and his co-conspirators gave the bribed AT&T employees "instructions... including lists of cellular telephone international mobile equipment identity (IMEI) numbers for the insiders to submit for fraudulent and unauthorized unlocking," the indictment said.

The alleged malware-planting part of the conspiracy began around April 2013. Fahd, Jiwani, and others allegedly "bribed insiders to plant malware on AT&T's internal protected computers for the purpose of gathering confidential and proprietary information on how AT&T's computer network and software applications functioned."

Fahd and his co-conspirators used this information to create "additional malware designed to interact with AT&T's internal protected computers and process fraudulent and unauthorized unlock requests submitted... from remote servers controlled by members of the conspiracy," the indictment said.

With this malware, Fahd and his crew were able to "log into AT&T's internal protected computers under false pretenses and to process fraudulent and unauthorized unlock requests," the indictment said.

From November 2014 to September 2017, Fahd and others allegedly bribed AT&T insiders "to install unauthorized computer hardware devices, including wireless access points designed to provide the conspiracy with unauthorized access to AT&T's internal protected computers." With these hardware devices, Fahd and others "facilitate[d] the automated process of submitting fraudulent and unauthorized unlock requests on behalf of the conspiracy."

If they didn't unethically lock their phones in the first place, criminals couldn't set up conspiracy rings to unlock them. When you sign a contract and are on a payment plan for a phone, you are still on the hook for the cost of the phone, regardless of whether you cancel the service or not, so whether the phone is unlocked or not is irrelevant. Locking the phone is purely an anti-competitive measure.

If a phone is unlocked before it has been paid off, resulting in a customer switching to another carrier, AT&T might not be able to collect the rest of the payments, a DOJ indictment of Fahd noted.

Don't AT&T plans have huge ETFs that they hit you with if you cancel before the end of the contract period? Or were these guys unlocking unactivated phones that were somehow smuggled out of AT&T stores? Given the scale (millions of phones?) maybe he was buying them in bulk from distributors and unlocking them for resale?

When phones were unlocked fraudulently without AT&T's authorization and customers switched service to other carriers, the fraudulent transactions deprived AT&T of the stream of payments that were due under the service contracts and installment plans

Someone got in the way of you exploiting your customers? So sad, let me play you a song on the world's smallest violin...

Honestly, unless the phones were stolen, I don't really have a problem with these unlocks.

Just wanted to say that I had a hell of a time with AT&T when I wanted to pay off the phone and move to another carrier. They did not have a way for me to do that outside of me just switching which prompted the fee for breaking the contract. At that time I had to wait 30 days for the next bill with that fee, so I could pay it.

Once that was processed my phone was unlocked and I could bring it to the carrier I chose. All in all it cost me buying an iPhone SE to use for the 45-60 days that it took for AT&T to unlock my phone.

Prior to that I called all over the place telling them to charge me the fee so I could pay it and then unlock my phone prior to bringing it to the new carrier.

It was an ordeal, I can understand why people would circumvent the process entirely. If I could have, I would have. I wanted to pay the fee, but there was no way for AT&T to do that prior to me breaking my contract. Crazy.

I get that the co-conspirators were probably poorly paid being call center reps, but 1) how did they have the level of access required to install software and hardware in the building that would facilitate outside access, 2) how did a guy in Hong Kong make contact with and establish rapport with employees in Washington state, and 3) why would anyone in their right mind think this was a good enough idea to risk their job and/or future ability to get a job?!

That's like the old airline question: did anyone give you an item or package to take on the plane with you? Only an idiot would say yes; an even stupider person would take said item.

If they didn't unethically lock their phones in the first place, criminals couldn't set up conspiracy rings to unlock them. When you sign a contract and are on a payment plan for a phone, you are still on the hook for the cost of the phone, regardless of whether you cancel the service or not, so whether the phone is unlocked or not is irrelevant. Locking the phone is purely an anti-competitive measure.

I find it to be a shitty practice, but (unpopular opinion incoming) if carriers are selling phones at a reduced rate on-contract, then I can kind of see not allowing to move the phone until said contract has expired. Sure, they can come after you for the rest of the (reduced) price of the phone, but the point in reducing the price is that they make that back up in service fees. Once the contract is complete, then the phone gets unlocked. Or that should just be included in the ETF.

Honestly I feel like we shouldn't be buying phones through carriers to begin with (I personally do not). You pay more, but get the ability to move the phone where you want when you want. I don't buy my computer through Comcast, why would I buy my phone through AT&T?

One of the things not mentioned in this article was that during this time period, "unlocked" phones really didn't exist. Most phones were locked to a specific carrier, and there was a legal gray area around the ability to do so.

I can specifically recall the launch of the Lumia 1020 being affected by this. People could walk into the Microsoft Store, pay full retail price for a 1020, and yet AT&T would refuse to unlock the phone despite them having the receipt. So of the 2 million phones I wonder how many were legitimate unlocks where AT&T refused to unlock the phone despite the customer paying out in full for their device.

Why were AT&T's systems programmed to allow an unlock, if the customer had not completed the terms of their service agreement?

AT&T itself is just as much at fault for not covering their bases.

How are call center employees going to pay those fines?

You pretty much always need a way to manually override stuff like that, because sometimes the software has a bug and makes the wrong decision (e.g. not unlocking someone who has met the terms).

Yes, the bug should be fixed (and for most companies, it will be eventually), but you want a faster solution for your customers, so you give your support people those tools.

I think it would be best to build the software as mdporter described and then require escalation to a supervisor to override any incorrect locks. It only shifts the problem slightly, but it decreases the number of people who can game things and still accomplishes the task with minimal friction for the customer.

Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T.

It's a little sketchy that it sounds like the bribes are being remitted to AT&T rather than a portion as provable civil damages and the rest going to the DOJ. Just feels gross we all know those bribes will now be used as "free speech" by AT&T with legislators to keep the practice of locking phones to a network legal.

If they didn't unethically lock their phones in the first place, criminals couldn't set up conspiracy rings to unlock them. When you sign a contract and are on a payment plan for a phone, you are still on the hook for the cost of the phone, regardless of whether you cancel the service or not, so whether the phone is unlocked or not is irrelevant. Locking the phone is purely an anti-competitive measure.

Well beyond a reasonable doubt locking the phone helps reduce theft and fraud.

Maybe, but look at AT&T's position here, that's not the benefit of locking that they're highlighting.

Just because something is good in one situation does not mean that it is not bad (or even worse) in another.

Why were AT&T's systems programmed to allow an unlock, if the customer had not completed the terms of their service agreement?

AT&T itself is just as much at fault for not covering their bases.

How are call center employees going to pay those fines?

You pretty much always need a way to manually override stuff like that, because sometimes the software has a bug and makes the wrong decision (e.g. not unlocking someone who has met the terms).

Yes, the bug should be fixed (and for most companies, it will be eventually), but you want a faster solution for your customers, so you give your support people those tools.

I think it would be best to build the software as mdporter described and then require escalation to a supervisor to override any incorrect locks. It only shifts the problem slightly, but it decreases the number of people who can game things and still accomplishes the task with minimal friction for the customer.

Maybe. There are pros and cons to each option. It's entirely possible that the equation ends up favoring any of these solutions.

Did anyone else read this story and laugh, then feel very vaguely bad about laughing, since it was a crime?

I'm a fan of Robin Hood, so my first impression was, "Good for you!" I mean, malware = bad, yes, but it sounds like straight-up theft by taking advantage of AT&T's tendency to force people to stay on their network.

So it's kind of a case of two wrongs making a sort of, kind of, right - if in no other sphere than that of a kind of social justice.

If a phone is unlocked before it has been paid off, resulting in a customer switching to another carrier, AT&T might not be able to collect the rest of the payments, a DOJ indictment of Fahd noted.

Don't AT&T plans have huge ETFs that they hit you with if you cancel before the end of the contract period? Or were these guys unlocking unactivated phones that were somehow smuggled out of AT&T stores? Given the scale (millions of phones?) maybe he was buying them in bulk from distributors and unlocking them for resale?

It might not be of much use to honest customers; but they probably weren't the intended user.

The way the normal scam probably worked (based on VZW's arguments for why they should be allowed short term locks on new sales) is thieves would use stolen card numbers acquired on the darknet to order phones, use the fraudulent unlock service to remove ATT's tentacles, and then sell them into the gray market before the people whose credit cards were used have a chance to notice and dispute the charge.

That... that's... let's do some math here... that is 50 fucking cents per phone.

Your phone's security can be breached by buying the AT&T dude a candy bar, apparently.

I'll assume they get passed on a truckload of candy bars at a time. You figure they could get away with 100 unlocks per day without raising an eyebrow to like $50 a day $250 a week. For 2 hours of work spread out a week's time. So $125/hr for a 2 hour side job while you're at work sounds good.

If they didn't unethically lock their phones in the first place, criminals couldn't set up conspiracy rings to unlock them. When you sign a contract and are on a payment plan for a phone, you are still on the hook for the cost of the phone, regardless of whether you cancel the service or not, so whether the phone is unlocked or not is irrelevant. Locking the phone is purely an anti-competitive measure.

Their payment plans are effectively a no interest loan. You are free to put the phone on your credit card with 17% interest if you don't want it locked to the carrier.

If they didn't unethically lock their phones in the first place, criminals couldn't set up conspiracy rings to unlock them. When you sign a contract and are on a payment plan for a phone, you are still on the hook for the cost of the phone, regardless of whether you cancel the service or not, so whether the phone is unlocked or not is irrelevant. Locking the phone is purely an anti-competitive measure.

Their payment plans are effectively a no interest loan. You are free to put the phone on your credit card with 17% interest if you don't want it locked to the carrier.

Are they a no interest loan though? In the EU, where consumer protection laws tend to be much stronger than in the US, it's usually possible to work out the true cost of a phone on contract because of free markets in phones and unbundled contracts. The tl;dr is that "no interest" is far from the truth. One wonders if in the US phones are sold off contract at highly inflated prices so as to make contracts look like zero interest.

If a phone is unlocked before it has been paid off, resulting in a customer switching to another carrier, AT&T might not be able to collect the rest of the payments, a DOJ indictment of Fahd noted.

Don't AT&T plans have huge ETFs that they hit you with if you cancel before the end of the contract period? Or were these guys unlocking unactivated phones that were somehow smuggled out of AT&T stores? Given the scale (millions of phones?) maybe he was buying them in bulk from distributors and unlocking them for resale?

It might not be of much use to honest customers; but they probably weren't the intended user.

The way the normal scam probably worked (based on VZW's arguments for why they should be allowed short term locks on new sales) is thieves would use stolen card numbers acquired on the darknet to order phones, use the fraudulent unlock service to remove ATT's tentacles, and then sell them into the gray market before the people whose credit cards were used have a chance to notice and dispute the charge.

Another scam was to buy a phone with a two-year plan, then report it stolen and then request for a replacement phone which you would get for a fraction of the MSRP price, and you could do that about two to three times; with identity fraud that was quite easy to do since the livelihood of the people in sales depends on volume rather than integrity.

Once the phone was out of the shop, the monthly payments were someone else's responsibility.

If they didn't unethically lock their phones in the first place, criminals couldn't set up conspiracy rings to unlock them. When you sign a contract and are on a payment plan for a phone, you are still on the hook for the cost of the phone, regardless of whether you cancel the service or not, so whether the phone is unlocked or not is irrelevant. Locking the phone is purely an anti-competitive measure.

Their payment plans are effectively a no interest loan. You are free to put the phone on your credit card with 17% interest if you don't want it locked to the carrier.

Are they a no interest loan though? In the EU, where consumer protection laws tend to be much stronger than in the US, it's usually possible to work out the true cost of a phone on contract because of free markets in phones and unbundled contracts. The tl;dr is that "no interest" is far from the truth. One wonders if in the US phones are sold off contract at highly inflated prices so as to make contracts look like zero interest.

Most of the ones I've looked at sold at MSRP, with the exception of deals where they knock off $100 of the selling price like the current Sprint Pixel 3a promo.

As the old saying goes, if you pay suggested retail you're usually being overcharged.

If they didn't unethically lock their phones in the first place, criminals couldn't set up conspiracy rings to unlock them. When you sign a contract and are on a payment plan for a phone, you are still on the hook for the cost of the phone, regardless of whether you cancel the service or not, so whether the phone is unlocked or not is irrelevant. Locking the phone is purely an anti-competitive measure.

Their payment plans are effectively a no interest loan. You are free to put the phone on your credit card with 17% interest if you don't want it locked to the carrier.

Are they a no interest loan though? In the EU, where consumer protection laws tend to be much stronger than in the US, it's usually possible to work out the true cost of a phone on contract because of free markets in phones and unbundled contracts. The tl;dr is that "no interest" is far from the truth. One wonders if in the US phones are sold off contract at highly inflated prices so as to make contracts look like zero interest.

The 2-year contracts are mostly extinct now in the U.S. The device payment plans are not part of a service contract.

Just wanted to say that I had a hell of a time with AT&T when I wanted to pay off the phone and move to another carrier. They did not have a way for me to do that outside of me just switching which prompted the fee for breaking the contract. At that time I had to wait 30 days for the next bill with that fee, so I could pay it.

Once that was processed my phone was unlocked and I could bring it to the carrier I chose. All in all it cost me buying an iPhone SE to use for the 45-60 days that it took for AT&T to unlock my phone.

Prior to that I called all over the place telling them to charge me the fee so I could pay it and then unlock my phone prior to bringing it to the new carrier.

It was an ordeal, I can understand why people would circumvent the process entirely. If I could have, I would have. I wanted to pay the fee, but there was no way for AT&T to do that prior to me breaking my contract. Crazy.

That is interesting. My phone is paid off now, but when I was under monthly installments with AT&T I had the option to pay in full at any point (online). I could not pay ahead, like an extra $200 to bring the balance down faster, but I could pay the balance in full in one final payment.